Are there any existing user authentication libraries for node.js? In particular I'm looking for something that can do password authentication for a user (using a custom backend auth DB), and associate that user with a session.

Before I wrote an auth library, I figured I would see if folks knew of existing libraries. Couldn't find anything obvious via a Google search.

I developed Passport after investigating both connect-auth and everyauth. While they are both great modules, they didn't suit my needs. I wanted something that was more light-weight and unobtrusive.

Passport is broken down into separate modules, so you can choose to use only what you need (OAuth, only if necessary). Passport also does not mount any routes in your application, giving you the flexibility to decide when and where you want authentication, and hooks to control what happens when authentication succeeds or fails.

For example, here is the two-step process to set up form-based (username and password) authentication:

I disagree with your conclusion that the connect-auth plugin is the way to go.

IMHO connect-auth breaks the very powerful and easy-to-read onion-ring architecture of connect. A no-go - my opinion :).
You can find a very good and short article about how connect works and the onion ring idea here.

If you - as written - just want to use a basic or HTTP login with a database or file, connect-auth is way too big. It's more for stuff like OAuth 1.0, OAuth 2.0 & Co.

A very simple authentication with connect

(It's complete. Just execute it for testing, but if you want to use it in production, make sure to use HTTPS.)
(And to be REST-principle-compliant you should use a POST request instead of a GET request because you change a state :)

Why does connect-auth break the onion/layers pattern? is it because it doesn't use next()? Could it?
– jpstrikesback Feb 14 '11 at 13:55

3

Yes. It must use next() because that's the idea behind connect. Connect has a layer architecture / form of code structure, and every layer has the power to stop the request execution by not calling next(). If we are talking about authentication: an authentication layer will check if the user has the correct permissions. If everything is fine the layer calls next(). If not, this auth layer generates an error and will not call next().
– Matthias Feb 15 '11 at 15:46

man, this is exactly what I was looking for. connect-auth was giving me a bit of indigestion. I just logged into my app for the first time. thanks so much.
– Andy Ray Jun 17 '11 at 5:35

6

This still doesn't help to answer how to connect to a database backend (preferably with encrypted passwords). I appreciate your comment that this one library is over-engineered, but surely there is one that isn't. Also, if I wanted to write my own auth system I would have used Struts in Java. Just like the OP, I want to know which plugins will do that for me in 1 line of code.
– hendrixski Jul 22 '11 at 5:22

4

Great answer Nivoc. Doesn't work with latest versions of connect though. I had to change... cookieDecoder() --> cookieParser() and bodyDecoder() --> bodyParser() and remove the next() call from the helloWorldContent function as I was getting an error 'Can't set headers after they are sent'.
– Michael Dausmann Aug 1 '11 at 0:55

hey, do you have an example of what you did? simply requiring connect-auth and calling “.authenticate” on “req” returns “TypeError: Object # has no method 'authenticate'“ for me.
– gryzzly Sep 12 '10 at 11:21

1

IMHO this plugin is way too heavy for simple HTTP authentication.
– Matthias Feb 19 '11 at 22:51

And this plugin works against the connect onion-ring architecture.
– Matthias Mar 16 '11 at 9:31

I was basically looking for the same thing. Specifically, I wanted the following:

To use express.js, which wraps Connect's middleware capability

"Form based" authentication

Granular control over which routes are authenticated

A database back-end for users/passwords

Use sessions

What I ended up doing was creating my own middleware function check_auth that I pass as an argument to each route I want authenticated. check_auth merely checks the session and, if the user is not logged in, redirects them to the login page, like so:

    function check_auth(req, res, next) {
        // if the user isn't logged in, redirect them to a login page
        if(!req.session.login) {
            res.redirect("/login");
            return; // the buck stops here... we do not call next(), because
                    // we don't want to proceed; instead we want to show a login page
        }
        // the user is logged in, so call next()
        next();
    }

Then for each route, I ensure this function is passed as middleware. For example:

    app.get('/tasks', check_auth, function(req, res) {
        // snip
    });

Finally, we need to actually handle the login process. This is straightforward:

At any rate, this approach was mostly designed to be flexible and simple. I'm sure there are numerous ways to improve it. If you have any, I'd very much like your feedback.

EDIT: This is a simplified example. In a production system, you'd never want to store & compare passwords in plain text. As a commenter points out, there are libs that can help manage password security.

Here is some code for basic authentication from one of my projects. I use it against CouchDB with an additional auth data cache, but I stripped that code.

Wrap an authentication method around your request handling, and provide a second callback for unsuccessful authentication. The success callback will get the username as an additional parameter. Don't forget to correctly handle requests with wrong or missing credentials in the failure callback:

I wanted to avoid basic auth in favor of form-based auth. This is definitely an elegant solution to the basic auth problem. I think I may have found a good auth framework though (connect-auth - sits on top of connectjs)
– shreddd Aug 22 '10 at 6:40

There is a project called Drywall that implements a user login system with Passport and also has a user management admin panel. If you're looking for a fully-featured user authentication and management system similar to something like what Django has but for Node.js, this is it. I found it to be a really good starting point for building a node app that required a user authentication and management system. See Jared Hanson's answer for information on how Passport works.

A different take on authentication is Passwordless, a token-based authentication module for express that circumvents the inherent problem of passwords [1]. It's fast to implement, doesn't require too many forms, and offers better security for the average user (full disclosure: I'm the author).